diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index f68a4a3f..5700a04b 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -47,7 +47,15 @@ enum libwebsocket_write_protocol {
 	LWS_WRITE_PING,
 	LWS_WRITE_PONG,
 
-	LWS_WRITE_NO_FIN = 0x40
+	/* flags */
+
+	LWS_WRITE_NO_FIN = 0x40,
+	/*
+	 * client packet payload goes out on wire unmunged
+	 * only useful for security tests since normal servers cannot
+	 * decode the content if used
+	 */
+	LWS_WRITE_CLIENT_IGNORE_XOR_MASK = 0x80
 };
 
 struct libwebsocket;
diff --git a/lib/parsers.c b/lib/parsers.c
index 64d7fb17..a97e75aa 100644
--- a/lib/parsers.c
+++ b/lib/parsers.c
@@ -1131,19 +1131,27 @@ int libwebsocket_write(struct libwebsocket *wsi, unsigned char *buf,
 
 	if (wsi->client_mode && wsi->ietf_spec_revision == 4) {
 
-		if (libwebsocket_04_frame_mask_generate(wsi)) {
-			fprintf(stderr, "libwebsocket_write: "
-					      "frame mask generation failed\n");
-			return 1;
-		}
-
 		/*
-		 * use the XOR masking against everything we send
-		 * past the frame nonce
+		 * this is only useful for security tests where it's required
+		 * to control the raw packet payload content
 		 */
 
-		for (n = 0; n < (len + pre + post); n++)
-			buf[n - pre] = xor_mask(wsi, buf[n - pre]);
+		if (!(protocol & LWS_WRITE_CLIENT_IGNORE_XOR_MASK)) {
+
+			if (libwebsocket_04_frame_mask_generate(wsi)) {
+				fprintf(stderr, "libwebsocket_write: "
+					      "frame mask generation failed\n");
+				return 1;
+			}
+
+			/*
+			 * use the XOR masking against everything we send
+			 * past the frame nonce
+			 */
+
+			for (n = 0; n < (len + pre + post); n++)
+				buf[n - pre] = xor_mask(wsi, buf[n - pre]);
+		}
 
 		/* make space for the frame nonce in clear */
 		pre += 4;